Lost in Translation
Translation makes it possible to exchange information across the globe, regardless of language differences. Translation plays a similar role in industrial internet of things (IIoT) environments where different devices, such as interfaces, sensors, and machines, use different protocols. Protocol gateways handle the translation of these different protocols in an industrial facility, allowing devices to communicate with one another.
What happens when translations are inaccurate or when parts of a message are mistranslated? Trend Micro’s latest research, “Lost in Translation: When Industrial Protocol Translation goes Wrong,” examines the risks related to protocol gateways, the possible impact of an attack or wrong translation, and ways to secure these devices.
Protocol Translation Attacks
Protocol gateways play an important role in industrial networks. Their translation of protocols allows the various sensors, actuators, machinery, and computers that operate smart factories, dams, power plants, and water processing facilities to communicate with one another.
Figure 1. Protocol gateways translate different protocols to allow different devices to communicate with one another
We evaluated and tested different protocol gateways to see how a threat actor could use the translation vulnerabilities found in these devices to perform difficult-to-detect attacks against industrial facilities.
Malicious requests from legitimate commands
We found that vulnerabilities in the translation function can allow threat actors to issue stealth commands that can sabotage operational processes. Flaws in certain protocol gateways could allow threat actors to send crafted packets that cause undetected changes once they pass through the protocol gateway.
Figure 2. Crafted packets in one protocol (protocol A) could be translated as a malicious request in another (protocol B)
The issue behind this scenario is that crafted packets in one protocol can mean malicious commands in another. This makes translation attacks more difficult to detect because the resulting malicious requests come from legitimate commands. In addition, embedded networking devices are difficult to monitor and debug, giving a threat actor a wider attack margin.
Figure 3. Diagram showing the position of the protocol gateway and the point from which threat actors can send crafted packets.
Figure 3 shows the point in the system from which threat actors can send crafted packets. In this example, a malformed packet (in Modbus TCP) was not properly translated but blindly forwarded as Modbus RTU. Even common industrial control system (ICS) firewalls might not detect the originating message, as it is considered benign. In a real-world scenario, threat actors can issue commands using this method. For example, a threat actor could deactivate critical sensors meant to keep the facility functioning.
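The blind-forwarding behaviour described above can be contrasted with a translation step that validates the Modbus TCP frame before re-encoding it as Modbus RTU. The following is an added example written for this article, not code from Trend Micro's research or from any gateway vendor. It implements the public Modbus TCP (MBAP header) and Modbus RTU (CRC-16) framing rules; the function-code allow-list and the two sample frames are constructed for illustration. The point it makes is that an MBAP length field that disagrees with the bytes actually on the wire is a translation defect a gateway can refuse, whereas a translator that simply strips the header and appends a CRC carries the surplus bytes into the serial frame.

```python
import struct

# Modbus function codes accepted by this (hypothetical) gateway, with the fixed
# data length (bytes after the function code) of their request PDU.
FIXED_PDU_DATA_LEN = {
    0x01: 4,  # read coils
    0x02: 4,  # read discrete inputs
    0x03: 4,  # read holding registers
    0x04: 4,  # read input registers
    0x05: 4,  # write single coil
    0x06: 4,  # write single register
}
MBAP_LEN = 7       # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_PDU_LEN = 253  # Modbus specification limit


def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (reflected polynomial 0xA001, init 0xFFFF, no final xor)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def to_rtu(unit_and_pdu: bytes) -> bytes:
    """Frame unit id + PDU as Modbus RTU: append the CRC low byte first."""
    return unit_and_pdu + struct.pack("<H", crc16_modbus(unit_and_pdu))


def validate_tcp_adu(tcp_adu: bytes):
    """Return None if the Modbus TCP ADU is well-formed, else a string naming the defect."""
    if len(tcp_adu) < MBAP_LEN + 1:
        return "frame shorter than MBAP header plus function code"
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", tcp_adu[:MBAP_LEN])
    if proto_id != 0:
        return f"protocol id {proto_id} is not Modbus (0)"
    # The length field counts unit id + PDU and must match what is actually on the wire.
    if length != len(tcp_adu) - 6:
        return f"length field {length} does not match {len(tcp_adu) - 6} bytes present"
    pdu = tcp_adu[MBAP_LEN:]
    if len(pdu) > MAX_PDU_LEN:
        return "PDU exceeds 253 bytes"
    fc, data = pdu[0], pdu[1:]
    if fc in FIXED_PDU_DATA_LEN:
        if len(data) != FIXED_PDU_DATA_LEN[fc]:
            return f"function 0x{fc:02X} expects {FIXED_PDU_DATA_LEN[fc]} data bytes, got {len(data)}"
    elif fc == 0x10:  # write multiple registers: addr(2) qty(2) byte count(1) values
        if len(data) < 5:
            return "write multiple registers header truncated"
        qty, byte_count = struct.unpack(">HB", data[2:5])
        if not 1 <= qty <= 123 or byte_count != 2 * qty or len(data) != 5 + byte_count:
            return "write multiple registers quantity/byte count inconsistent"
    else:
        return f"function 0x{fc:02X} not on the gateway allow-list"
    return None


def naive_translate(tcp_adu: bytes) -> bytes:
    """Blind forwarding: drop the first six MBAP bytes and trust whatever follows."""
    return to_rtu(tcp_adu[6:])


def validating_translate(tcp_adu: bytes) -> bytes:
    """Translate only frames that pass validation; raise otherwise."""
    defect = validate_tcp_adu(tcp_adu)
    if defect is not None:
        raise ValueError(f"rejected Modbus TCP frame: {defect}")
    return to_rtu(tcp_adu[6:])  # validated: these bytes really are unit id + PDU


# Constructed sample frames (not captured from any device).
GOOD = bytes.fromhex("0001 0000 0006 01 03 0000 000A")  # read 10 holding registers from unit 1
TRAILING = GOOD + bytes.fromhex("FFFF")                   # same header; two bytes not covered by the length field

if __name__ == "__main__":
    print(validating_translate(GOOD).hex(" "))   # 01 03 00 00 00 0a c5 cd
    print(naive_translate(TRAILING).hex(" "))    # 10-byte RTU frame: the extra FF FF ride along
    print(validate_tcp_adu(TRAILING))            # length field 6 does not match 8 bytes present
```

The same check is also what a monitoring point in front of the gateway would apply: it does not need to understand the serial side at all, only to confirm that the MBAP header, the function code and the PDU size agree with one another before the frame is allowed through.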
Configuration Disclosure and Tampering
In protocol gateways that we categorized as data stations, translation does not happen in real time. Instead, these gateways match incoming packets to an Input/Output (I/O) mapping table that operational technology (OT) engineers are required to configure manually. We found weaknesses in some protocol gateways that can leave the I/O mapping table exposed. This is dangerous since the I/O mapping table contains crucial information about the ecosystem of which the protocol gateway is a part. Threat actors who gain access to the I/O mapping table could gain visibility over this ecosystem, enabling them to conduct more targeted and precise attacks.
Figure 4. A sample network topology that includes the protocol gateway, and its position relative to other devices
Unauthorized modification to the I/O mapping table will also tamper with the mapping and damage the logic. This could also affect the operation of the human-machine interface (HMI), programmable logic controllers (PLCs), and devices connected to the protocol gateway. This is something we were able to demonstrate in detail in our research.
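Because the I/O mapping table is configured by hand and changes rarely, an operator can treat it as a baselined configuration and audit the running copy against it. The following is an added example, not code from the research paper or from any data-station product; the table layout and field names (a tag bound to a north-side register and a south-side unit and register range) are assumptions made for illustration. It detects two things a tampered table tends to show: entries that differ from the baseline, and register ranges that now collide on the same downstream unit.

```python
import hashlib
import json

# Constructed I/O mapping table in the shape a data-station gateway might hold.
# Field names are assumptions for this example, not a vendor format.
BASELINE = [
    {"tag": "tank_level", "north_reg": 40001, "south_unit": 3, "south_reg": 100, "count": 1},
    {"tag": "pump_cmd",   "north_reg": 40010, "south_unit": 3, "south_reg": 200, "count": 1},
    {"tag": "valve_pos",  "north_reg": 40011, "south_unit": 4, "south_reg": 10,  "count": 2},
]


def canonical_digest(table):
    """SHA-256 over a canonical JSON rendering, so entry order does not affect the result."""
    canon = json.dumps(sorted(table, key=lambda e: e["tag"]), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_tables(baseline, current):
    """Return (tag, field, old, new) records for every difference between the two tables."""
    old = {e["tag"]: e for e in baseline}
    new = {e["tag"]: e for e in current}
    changes = []
    for tag in sorted(old.keys() - new.keys()):
        changes.append((tag, "removed", old[tag], None))
    for tag in sorted(new.keys() - old.keys()):
        changes.append((tag, "added", None, new[tag]))
    for tag in sorted(old.keys() & new.keys()):
        for field in sorted(old[tag].keys() | new[tag].keys()):
            if old[tag].get(field) != new[tag].get(field):
                changes.append((tag, field, old[tag].get(field), new[tag].get(field)))
    return changes


def find_overlaps(table):
    """Flag pairs of entries whose south-side register ranges collide on the same unit."""
    overlaps = []
    for i, a in enumerate(table):
        for b in table[i + 1:]:
            if a["south_unit"] != b["south_unit"]:
                continue
            a_end = a["south_reg"] + a["count"]
            b_end = b["south_reg"] + b["count"]
            if a["south_reg"] < b_end and b["south_reg"] < a_end:
                overlaps.append((a["tag"], b["tag"]))
    return overlaps


def audit(baseline, current):
    """Compare a running table against its baseline and report what an operator should look at."""
    return {
        "digest_matches": canonical_digest(baseline) == canonical_digest(current),
        "changes": diff_tables(baseline, current),
        "overlaps": find_overlaps(current),
    }


# Constructed tampered copy: pump_cmd now points at the register tank_level reads from.
TAMPERED = [dict(e) for e in BASELINE]
TAMPERED[1]["south_reg"] = 100

if __name__ == "__main__":
    for key, value in audit(BASELINE, TAMPERED).items():
        print(f"{key}: {value}")
```

The digest alone is enough for an alert; the diff and the overlap check are what make the alert actionable, since they tell the engineer which tag moved and which process value it now shares an address with.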
Unforeseen Exposures
Adding to the risk of exposure of protocol gateways and their ecosystems, we also discovered vulnerabilities that could allow threat actors to reuse credentials and decrypt configuration data.
The research paper discusses these in detail, including the denial-of-service (DoS) conditions we discovered. Each of these flaws could significantly affect a facility, as threat actors can use them to issue undetected commands or decrypt useful information.
Further implications include the possibility of a threat actor using techniques such as denial of view and denial of control against ICS equipment, or manipulation of view and manipulation of control to affect the integrity of various processes. These techniques can prevent engineers from controlling and monitoring smart factories, power plants, and other critical facilities. In turn, denial of control can result in a facility’s failure to deliver essential output such as power and water or compromise the quality of manufactured products.
By themselves, protocol gateways are likely not directly involved in the product or the output of a facility. However, they are a crucial link in the flow of information between different sensors, interfaces, devices, and machinery within a facility.
Operators need to be able to see and trust the data of the facility and take action to prevent accidents or potential production issues. Vulnerable or exposed protocol gateways can allow threat actors to compromise the integrity of the reported data, the operators’ ability to view data, or prevent operators from taking action.
In our research, we wanted to see if a small flaw in the protocol translation’s design could result in critical issues for the whole production network. We found that subtle attacks could potentially result in significant impact without being noticed. This issue highlights that in an industrial facility, security coverage should also include these often overlooked devices.
For more on protocol translation device vulnerabilities and threat scenarios, as well as detailed security recommendations for protecting protocol gateways, read the research paper, “Lost in Translation: When Industrial Protocol Translation goes Wrong.”